Azure Information Protection & PowerShell

Posted by

Azure Information Protection is a great tool for labelling and protecting sensitive content. In my previous blogs I showed you the end-user (functional) side of AIP as-well-as the administration side. And I want to focus on that side as-well in this blog. In this blog I will explain some of the PowerShell cmdlets you can use.

PowerShell is an administrators dream. It’s easy to use and very powerful. The AIP client is also provided with a couple of cmdlets which can make your (information protection) live a bit easier. You can use PowerShell to get a report on the label and protection status of your content. And you can also use this to classify and protect your content in bulk.

Can I use PowerShell cmdlets?

First things first. The cmdlets are provided to you with the AIP client. To use the most current version of the PowerShell cmdlets, you will need the minimum AIP client version of And you can use PowerShell to check this as well. Open PowerShell and use this cmdlet:

(get-module azureinformationprotection -listavailable).version

If correct, PowerShell will display the current installed version. In this example, the 1.9.210 preview client.

Available cmdlets

The AIP client comes equipped with a lot of build-in cmdlets. This list is from the Microsoft website:

In this blog I will focus on two: Get-AIPFileStatus and Set-AIPFileLabel. And for this, I have a couple of documents stored locally on my workstation. Only one of these documents has been labelled and protected and that’s the “Azure Information Protection …..” one.

Let’s say I want to know if the “Burgerservicenummer.docx” file is either labelled and/or protected. To this end, I use the cmdlet Get-AIPFileStatus. This cmdlet will return all AIP information: label, RMS policy, and more. I will need to enter the filename, and this gets me:

As you can see, this cmdlet provides me with all AIP information I need.

Should the file be labelled and protected, I expect to see this.

Let’s see this in action.

These videos show you how to get the AIP information of an unlabelled and unprotected file (video 1) and a labelled file (video 2).




Multiple files

Getting the information from a single file might not be the function you are looking for. In most cases you probably need information on a collection of files. For instance, in a specific folder or a specific label. Basically, you just enter the folder you need when using the Get-AIPFileStatus cmdlet.

As a large list of files isn’t very handy, you can export this list to a comma separated file or CSV. You use this cmdlet for this:

Get-AIPFileStatus -path D:\Users\hoitinal\Documents\AIP | Export-Csv -Path C:\temp\demo2.txt

All details of the file will now be stored in a text-file, which you can open with Excel (for example).


It is also possible to add another condition to the cmdlet. For example, you want to have all information on files which have been labelled “Internal”. You use this cmdlet, which also exports the results to a test-file.

Get-AIPFileStatus -Path \\Finance\Projects\ | Where-Object {$_.MainLabelName -eq ‘Internal’} | Export-Csv C:\Reports\AIP-status.csv

These videos show you how to get the AIP information of multiple files in general (video 1) and based on the label-name (video 2).



Setting labels and/or protection

Getting information on the AIP status of files is pretty easy. But you can even use the cmdlets to automatically label and/or protect files. For example, you want to label a document with the label “Internal”. The cmdlet to use is Set-AIPFileLabel. This cmdlet requires the label-id and not the label name. So, look-up this label-id in the Azure Information Protection portal.

This is the cmdlet you use.

Set-AIPFileLabel -path D:\users\hoitinal\documents\AIP\Burgerservicenummer.docx -LabelId ba8a21f7-34b3-4230-a824-49f9a691cb35

This video shows you how to set the AIP label for a file.


Using automatic classification

You can even use PowerShell to scan the content of your files and apply the required label and protection required. This is a very powerful option. It uses the Set-AIPFileClassification cmdlet. When used, the cmdlet will scan every file in the path and apply the relevent policy based on the AIP rules.

More information

There a lot of possibilities of these cmdlets. I haven’t showed you all of them. On this Microsoft webpage you will get all the cmdlets explained. I hope this blog provided some more information.

There are many more cmdlets, mostly for administrative purposes. One thing to keep in mind when using PowerShell (and this is from Microsoft):

Note that if you didn’t run the Set-RMSServerAuthentication command, you will be authenticated to the Azure Rights Management service by using your own user account. If you are on a domain-joined computer, your current credentials will always be used automatically. If you are on a workgroup computer, you will be prompted to sign in to Azure and these credentials are then cached for subsequent commands.



    1. Hi John,

      I don’t think this is going to work. This cmdlet is used for content stored either on the device, netwerk-share or on-premises SharePoint. I haven’t been able to use this on SharePoint Online. You should be able to use the new data-classification at rest, but this does need some arguments for determining the right label. You cannot just label everything with a “default” label. Probably Microsoft’s working on this, but I don’t have any information on that yet. If I find a way to work around this, I will let you (and the rest) know…..

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s